Criminals have found a workaround that allows them to bypass the robust phishing protections that Apple has built into iOS, according to BleepingComputer.
The operating system will automatically disable links in text messages that come from unknown numbers. However, if an iPhone user replies to a message, Apple’s tech reenables the links under the assumption that the recipient trusts the sender.
To exploit this mechanism, criminals are adding language at the end of their texts, instructing users to reply. Users are asked to respond with “yes,” “no,” or “stop” to perform actions like confirming appointments or opting out of communication. By including similar instructions in their phishing messages, criminals are hoping to trick users into replying to their message—and re-engaging with malicious links.
“For a long time, it felt like financial institutions were the only organizations with any real accountability and responsibility in detecting scams and preventing consumers from interacting with cybercriminals and authorizing transactions or sharing sensitive information that could lead to further fraudulent activity,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “The reality is, several industries have skin in the game, especially technology companies like telecommunications (e.g., Verizon and AT&T) and global mobile phone operating systems (e.g., Apple and Samsung).”
A Gateway to Phishing Attacks
According to BleepingComputer, iPhone users have received fake texts about USPS shipping issues and unpaid road tolls. The links were initially disabled, so users were directed to, “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.”
Following the instructions in these messages would initiate a fraud attack, but even replying could expose the user to risk. A reply lets the criminals know that the number is active, making the user a potential target for other types of phishing attacks.
Fraud at Scale
Criminals have continued to search for vulnerabilities in tech platforms they can exploit for phishing operations. Recently, the chief information security officer at cybersecurity company Fortiguard received an email that appeared to be from PayPal and used legitimate PayPal channels. The “no-phish” scam raised concerns in the cybersecurity community because of how difficult it is to detect.
Criminals are increasingly able to send messages that impersonate major companies, and they are often employing sophisticated technology like artificial intelligence to send convincing communications at scale. It’s imperative for users to avoid clicking on links or replying to texts from unknown sources. Instead, recipients should directly contact the organization that allegedly sent the message to verify its legitimacy.
“Consumers continue to adopt payments innovation like digital payment methods (e.g., digital wallets and P2P methods) and expanding ecommerce, which means more sensitive consumer information is being collected and stored by a growing number of companies,” Sando said. “Financial institutions can’t be the only ones preventing scam activity, especially when much of this fraudulent activity starts with the criminal reaching out through a text or email received on a consumer’s phone.”
